Chapter 12 Load Balancing for FortiOS 5.0 : Configuring load balancing : SSL/TLS load balancing : SSL offloading
  
SSL offloading
Use SSL offloading to accelerate clients’ SSL or HTTPS connections to real servers by using the FortiGate unit to perform SSL operations (offloading them from the real servers using the FortiGate unit’s SSL acceleration hardware). FortiGate units can offload SSL 3.0 and TLS 1.0. SSL offloading is available on FortiGate units that support SSL acceleration.
To configure SSL offloading from the web‑based manager go to Firewall Objects > Load Balance > Virtual Server. Add a virtual server and set the type to HTTPS or SSL and select the SSL offloading type (Client <-> FortiGate or Client <-> FortiGate <->Server).
Select Client <-> FortiGate to apply hardware accelerated SSL processing only to the part of the connection between the client and the FortiGate unit. This mode is called half mode SSL offloading. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
Select Client <-> FortiGate <->Server to apply hardware accelerated SSL processing to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server. This mode is called full mode SSL offloading. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.
Figure 291: SSL Offloading modes
Configuring SSL offloading also requires selecting a certificate to use for the SSL offloading sessions. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
The following CLI command shows an example half mode HTTPS SSL offloading configuration. In the example the ssl-mode option sets the SSL offload mode to half (which is the default mode).
config firewall vip
edit Vserver-ssl-offload
set type server-load-balance
set server-type https
set ldb-method round-robin
set extip 172.20.120.30
set extintf wan1
set extport 443
set persistence ssl-session-id
set ssl-mode half
set ssl-certificate my-cert
set monitor t cp-mon-1
config realservers
edit 1
set ip 10.31.101.30
set port 443
next
edit 2
set ip 10.31.101.40
set port 443
end
end